What is a Privacy Policy? The Definitive Guide for 2023

Data privacy laws change every year and the requirements to comply with them get stricter and more stringent.

What’s common among these regulations is the timely and precise communication of how your business handles and processes personal data.

Building, updating, and maintaining your website’s privacy policy is a significant and necessary step to be compliant with major privacy laws such as GDPR, CCPA, PIPEDA, and more.

In this guide to privacy policies, we’ll define the term, help you learn how to spot a good privacy policy, find privacy policy examples in the wild, and build your own customized privacy policy.

What is a Privacy Policy?

A privacy policy is an end-to-end agreement that explains how you gather and process your clients’ personal information. This clause can also be referred to as a privacy notice or privacy statement. Privacy policies keep both companies and consumers protected by informing each other of their rights and responsibilities.

A privacy policy is essentially your business’ guarantee for how you will collect, use, store, and dispose of customer data. Customer data can cover a wide array of categories. From IP addresses or geolocations, to customer names, mailing addresses, and financial details, anything that can be used to identify visitors to your website qualifies as customer data. More importantly, data collection practices performed on anyone — whether they ever buy a product or employ your services — is covered by a privacy policy. 

Your privacy policy needs to address how you’re collecting data, the type of data you’re collecting, how it will be used and/or shared, how it will be stored and for how long, and how you will dispose of it. Privacy policies can be tricky because many business owners don’t realize that your privacy policy needs to address both domestic and international privacy concerns. 

Again, regardless of whether you ever have a legitamite customer from another jurisdiction, if you’re receiving web traffic from those locales (and collecting data on those individuals), you’re now legally liable for following the privacy regulations from that region. For example, if you receive traffic from Spain, you’re now bound to uphold data protections regulations outlined by the European Union under both the GDPR and the E-Privacy Directive. 

What is the Purpose of a Privacy Policy?

The purpose of a privacy policy is to show that you put your customers first. 81% of Americans believe they have a lack of control over how their data is processed, so it’s good business practice to show that you care about their interests.

A well-written privacy policy gives your users clarity about what data is collected, how it’s processed and handled, and whether it’s shared with third-parties. It builds brand trust and helps you close more sales. Plus, a privacy policy is required by law so that’s a solid reason for you to build one. 

Benefits of a Privacy Policy

A privacy policy helps you build trust with users, enhances your reputation, enables you to stay compliant with data regulations, and reduces the chance of fines. There are many benefits to building a privacy policy, and very little downside. 

You can create one for free with Enzuzo’s privacy policy generator.

Privacy Policy vs Cookie Policy: What’s the difference?

These terms seem similar but are different. A privacy policy explains how you handle personal information such as names, phone numbers, credit cards, and mailing addresses. 

A cookie policy discusses whether your users consent to track cookies — the tiny piece of code stored locally in your browser that monitors your website history.

Cookie banners pop up when you first visit a website, asking users if they agree to their use. A cookie manager can then record their responses and help users opt-out. Privacy policies, on the other hand, are usually only displayed when the user initiates an action on the website — such as signing up for a newsletter or completing a purchase.

Is a Privacy Policy Required by Law?

Yes, privacy polices are a legal requirement under several data privacy laws. The GDPR, CCPA, LGPD, and PoPIA all necessitate businesses to disclose how they store and handle user data.

The GDPR article 4 defines personal data and provides a framework for businesses for how to handle, store, and delete said data when requested. The CCPA, with its sister legislation the CPRA, does the same by necessitating that businesses disclose how they collect and store data.

As we mentioned at the start of this article, a privacy policy is a common element among global data privacy laws. And it applies even if you’re not physically present in those countries — as long as you’re doing business in places like California, the EU, Canada, and Brazil, you must incorporate a privacy policy in your website.

Do I Need a Privacy Policy on My Website?

We strongly suggest that you have a privacy policy on your website. Not only is it the law, but it’s also good user experience as well. So, yes, you absolutely do need a privacy policy on your website.

Here's what would happen if you didn't have a privacy policy.

Does a Privacy Policy Need to be on Every Page?

A privacy policy does not need to be on every page of your website. Enzuzo’s privacy policy, for example, is tucked away in the footer. 

That means it's accessible without being overbearing. We also recommend that you display the privacy policy when a user makes a transaction on your site. For ecommerce stores, this could be when a user is initiating checkout — showing the privacy policy helps them understand their rights and what data is collected.

You may also want to display your privacy policy when running lead gen campaigns. So if users input their email addresses in exchange for an ebook or a newsletter, showing them the privacy policy is an excellent method to build trust. 

Should You Copy a Privacy Policy?

We strongly advise against copying a privacy policy. It may seem like a quick workaround, but copying a privacy policy will hurt you in the long run. 

Every business is different and has its own jurisdictions, operating procedures, and internal guidelines. When you copy a privacy policy from one of your competitors or from a legal template you found on the internet, you run the risk of including clauses that are irrelevant and non-applicable to your business.

The best way to protect yourself is to use a privacy policy generator. The generator will ask you a few questions about your business and create a policy that’s unique and relevant to your industry.

Here’s What You Should Include in Your Privacy Policy

We understand that a privacy policy can feel like a complex legal document, especially considering that it’ll be scrutinized by your users. Don’t worry though, it’s not as complicated as it sounds. In this section, we'll show you how to spot a good privacy policy.

Here are the 7 key areas of a good privacy policy:

1. An introduction

The introduction of your privacy policy discusses your business, areas of operation, legal jurisdiction, and the kind of products or services you sell. It’s meant to be a broad explanation of your firm as well as to introduce any terms that you use later on in the document.

2. Personal data collection and use

We’re now getting into the details of your privacy policy. Your personal data collection section outlines the specific information that you gather of your customers. For example, it could be:

• Names
• Phone numbers
• Mailing address
• Credit card details
• Email address

This section can also be used to highlight what data is shared with third parties. For example, ecommerce companies may share information about orders with their email marketing partners or shipping partners. It should be clearly communicated in the privacy policy.

3. Personal data retention and deletion

A data retention and deletion section is an integral part of any privacy policy. This section covers how long data is retained on servers and how users can request that data be deleted. Note that a request for deletion of data is also a legal requirement in most countries.

4. Children’s data (if relevant)

Data for minors is supposed to be a separate category under laws like the GDPR. It’s considered to be more sensitive and must be treated as such. If you collect any data pertaining to children, you must make that clear in your privacy policy. 

5. How changes will be communicated

Privacy polices are never a static document. They can (and should) be updated for a myriad of reasons:

• New privacy laws in your country
• As your business grows
• When you add new products and services

As you change your privacy policy, your customers should also be kept in the know. This section of your policy can identify how you communicate these changes to your clients, whether it’s via email, mailing address, or more.

6. How to make a complaint

All privacy policies must also outline clearly how customers can make a complaint if they feel that their privacy conditions have not been met. In some cases, companies may have a privacy ombudsman that handles these matters. A data compliance offer is also a mandatory requirement under the GPDR, albeit loosely enforced.

Information here can include mailing addresses, phone numbers, email addresses, and online form submissions — giving users the option to choose from whatever is convenient to their needs.

7. Rights of Users

Again, as we mentioned previously, the privacy policy is meant to protect both users and companies. Users have manifold rights, since it’s essentially their data you’re borrowing. The better your communication around their rights, the higher the levels of trust.

Here are some things you may want to inform them about:

• The right to their information
• The right to rectify personal details
• The right to prevent data from being shared
• The right to delete their data
• The right to speak with a supervisor, if requested

Privacy Policy Examples

We have an excellent post about the best privacy policy examples on the internet if you’d like to go into more details. However, while you’re here, let’s show you a few privacy policy examples that hit it out of the park:

• Enzuzo’s privacy policy
• Coursera’s privacy policy
• Google’s privacy policy
• Telegram’s privacy policy

Do You Need a Lawyer for a Privacy Policy?

It depends. A lawyer can certainly help you draft a privacy policy, but it won’t be cheap. On the other hand, it will be professional and bound to withstand any legal threats. Privacy policy generators can do an equally good job though.

So if you have the cash and are looking for some added confidence, then yes go ahead and hire a lawyer for your privacy policy. If you would like to repurpose one for your needs, here’s a privacy policy template that you can tweak to your requirements. 

Privacy Policy Template

Here’s the template: Downloadable Privacy Policy Template

We definitely don’t recommend copy and pasting this template. Please take a look through it and adapt it to your business. Add your name, address, product & service information, and other key details that are relevant to your operations.

Enzuzo’s privacy policy template was developed by a human lawyer and is the basis of our privacy policy generator.

Fines for Non-Compliant Privacy Policies

If your privacy policy isn’t able to satisfy legal needs, there’s a realistic possibility of fines. Here is an overview of possible privacy policy fines:

GDPR: A failure to comply with GDPR means you can face fines of $20 million or up to 4% of your company's global annual turnover (whatever is higher).

PIPEDA: The maximum possible fine under PIPEDA, the Canadian privacy law, is $100,000. 

CPRA: You can be fined up to $7,500 for each CPRA violation and an additional $2,500 for an accidental breach. 

Conclusion

A privacy policy is a written statement that outlines how your company collects, processes, and protects personal data from users. If your company gathers any sensitive information from users, then it is important to have a privacy policy on your website.

Your privacy policy should contain information that explains whether you collect personal data, the reasons for collecting it, how it is collected, and the choices users have regarding their personal data. Your privacy policy should be easy to find on your website, preferably before users provide you with any personal data.

To create a legally compliant privacy policy, you can use a template or a privacy policy generator. However, if you decide to draft your own privacy policy, it is important to use plain and understandable language, keep paragraphs short, include links to other key policies, and highlight important information.

It is important to comply with privacy laws around the world to avoid serious financial penalties and damage to your company's reputation.

Further Reading about Privacy Policies:

- How to add privacy policy to your website
- Benefits of data privacy
- What is a privacy policy URL
- Website privacy policy checker: How to analyze privacy policy
- Add privacy policy to Wix
- Add privacy policy to Squarespace
- Best privacy policy examples
- Best privacy policy generators
- Enzuzo's privacy policy generator

Privacy Policy FAQs

Privacy policies are critical, but it’s understandable that you might have some questions. Check out these frequently asked questions or reach out to us if you have a question not covered below. 

Am I legally required to have a privacy policy?

Yes, you are. If there’s a chance that you might receive web traffic from consumers in jurisdictions that have privacy laws, you need to explicitly outline what user data you’re collecting, how it’s being used or shared, and how it will be disposed of. Additionally, many jurisdictions like California and the EU require that you give their citizens clear access to view the data that’s been collected, refuse for it to be shared, or request that you delete it. 

Can’t I just copy a privacy policy from another website?

If you’re feeling lucky and optimistic that their policy will completely match with your intentions, sure you could. But this can be dangerous for a few reasons. First, if the policy you’re copying isn’t even close to being compliant, you’re starting from a losing position. And as we’ve stated several times, if you’re caught being noncompliant, it’s the most expensive lesson you’ll ever learn.

Second, if you’re using consumer data differently than how the copied policy implies, you’re out of compliance. It’s best to create a fresh privacy policy that incorporates your business’ actions and provides the proper transparency for your business purposes.   

Aren’t privacy policies expensive?

Maybe once upon a time, the only option businesses had for staying compliant was hiring a compliance lawyer to draft a privacy policy. Thankfully, these days you can simply turn to Enzuzo’s privacy policy generator and create a free or low-cost privacy policy depending on your needs. 

Does my privacy policy have to be on my website?

We’re not saying that it has to be the first thing that displays on your home page. But yes, your privacy policy should be something that consumers can easily find. Most businesses simply create a dedicated page for their privacy policies and link to it through either the footer or header navigation.